I am just starting to learn assembly and reverse engineering. I know this is a very basic question, but still I am not 100% sure if I have got the right answer. __p___argv returns the arguments passed to the program and stores the return value in eax.
My questions relate to the code:
call __p___argv
mov edi, [eax]
eax would contain the memory address of argv[0], is this correct?
argv[0] is not actually the first parameter passed by the user but something else, and the parameters passed by the user start at argv[1]?
[eax] would access memory at location specified in eax, the value of argv[0] is moved to edi?

In VC++, __p___argv is declared as follows:
__declspec(dllimport) char*** __cdecl __p___argv (void);
In MinGW, __p___argv is declared as follows:
extern char*** __p___argv(void);
In both cases, the function returns a pointer to a location that contains the address of the argv array (i.e., the address of the first element) in eax/rax.
The first parameter passed by the user is always argv[1] and the address of this parameter is stored in the second element of the argv array. So you'll have to first dereference eax/rax and then add 4/8 bytes to the resulting address to get to the address of the first parameter passed by the user.
You can alternatively use __argv, which is a variable that is equivalent to *__p___argv().
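The levels of indirection described in the answer, traced in C as an added example that is not part of the original post. `model_p_argv`, `model_argv` and the sample command line are constructed stand-ins for the CRT's `__p___argv` and `__argv`, so the code builds on any platform.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample command line: program name plus two user arguments. */
static char *sample_args[] = { "prog.exe", "first", "second", NULL };

/* Stand-in for the CRT variable that holds argv (what __argv names). */
static char **model_argv = sample_args;

/* Hypothetical stand-in for __p___argv(): returns the ADDRESS of that
 * variable, hence the char*** return type in both declarations above. */
static char ***model_p_argv(void) { return &model_argv; }

/* call __p___argv / mov edi, [eax]: one dereference yields argv itself,
 * i.e. the address of the first array element, not the argv[0] string. */
static char **load_argv(void)
{
    char ***eax = model_p_argv();  /* call __p___argv */
    char **edi = *eax;             /* mov edi, [eax]  */
    return edi;
}

/* Element `index` lives at argv + index * pointer size:
 * 4 bytes per slot on x86, 8 bytes per slot on x64. */
static char *arg_at(size_t index)
{
    char *slot = (char *)load_argv() + index * sizeof(char *);
    char *value;
    memcpy(&value, slot, sizeof value);  /* e.g. mov ecx, [edi+4] for index 1 */
    return value;
}

int main(void)
{
    printf("pointer size      : %zu bytes\n", sizeof(char *));
    printf("eax (model)       : %p\n", (void *)model_p_argv());
    printf("edi = [eax] = argv: %p\n", (void *)load_argv());
    printf("argv[0]           : %s\n", arg_at(0));
    printf("argv[1]           : %s\n", arg_at(1));
    return 0;
}
```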